summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Revert "Moves supported python runtimes from version 3.8 to 3.10"HEAD4.2.0masterGhanshyam2023-05-051-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | This reverts commit 67a3d3b0db462949ebcc07f9b7c45559a29fde1f. Keeping Python 3.10 in setup.cfg classifier and zuul.yaml changes. Reason for revert: Needed-By: https://review.opendev.org/c/openstack/openstack-zuul-jobs/+/882175 TC has been discussing about re-adding the python 3.8 testing in current master 2023.2 release testing. - https://meetings.opendev.org/meetings/tc/2023/tc.2023-04-25-18.00.log.html#l-191 - https://lists.openstack.org/pipermail/openstack-discuss/2023-April/033469.html While governance changes are under review, TC agreed to add py3.8 testing so that we do not see more project/lib dropping python 3.8 and make them uninstalable on python 3.8 - https://meetings.opendev.org/meetings/tc/2023/tc.2023-05-02-18.00.log.html#l-17 - https://review.opendev.org/c/openstack/governance/+/882165 Also adding py3.8 testing back in job https://review.opendev.org/c/openstack/openstack-zuul-jobs/+/882175 Change-Id: I50a55442701be16bae3b7ae2035743b9f174dcfd
* Moves supported python runtimes from version 3.8 to 3.10Hervé Beraud2023-04-102-12/+12
| | | | | | | | Within 2023.2 python version 3.9 and 3.10 are the supported python runtimes [1]. [1] https://review.opendev.org/c/openstack/governance/+/872232 Change-Id: I82682282703def588ce95b9b0067651ccf5ce924
* Fix deprecated rule logic if the rule was deleted in policy directory.Mitya_Eremeev2023-03-031-0/+1
| | | | | | | | | | | | | | | | | The bug scenario: - define deprecated rule in policy folder - start a service - enforce policies - remove the rule in policy folder - enforce policies New default is applied to the rule, but new and old defaults should be applied (OR logic) The patch fixes it. Closes-Bug: 1977549 Change-Id: If11fe2da1163d6d3f16d133aeb207a055cf30de4
* Update master for stable/2023.1OpenStack Release Bot2023-02-242-0/+7
| | | | | | | | | | | | Add file to the reno documentation build to show release notes for stable/2023.1. Use pbr instruction to increment the minor version number automatically so that master versions are higher than the versions on stable/2023.1. Sem-Ver: feature Change-Id: I279a3b56f331ad2dcafd624f0d8ea166713a58c5
* Fix py38 jobs by using focal rather than jammy4.1.1Hervé Beraud2023-02-171-1/+3
| | | | | | Related to https://lists.openstack.org/pipermail/openstack-discuss/2023-February/032247.html Change-Id: Icf66914c2b5b6221e55595c01d018617b224c6ea
* Imported Translations from Zanata4.1.0OpenStack Proposal Bot2022-10-172-11/+33
| | | | | | | For more information about this automatic import see: https://docs.openstack.org/i18n/latest/reviewing-translation-import.html Change-Id: Ib11f5c8095c075170575ecaf635e6ce30bd3d789
* Add Python3 antelope unit testsOpenStack Release Bot2022-09-091-1/+1
| | | | | | | | | | | This is an automatically generated patch to ensure unit testing is in place for all the of the tested runtimes for antelope. See also the PTI in governance [1]. [1]: https://governance.openstack.org/tc/reference/project-testing-interface.html Change-Id: Ied1dbd4a6751b8a9bded9569eb5ea76e72d0b3f4
* Update master for stable/zedOpenStack Release Bot2022-09-092-0/+7
| | | | | | | | | | | | Add file to the reno documentation build to show release notes for stable/zed. Use pbr instruction to increment the minor version number automatically so that master versions are higher than the versions on stable/zed. Sem-Ver: feature Change-Id: Ib8774b60b82602c4a22c622ebe623e348d0f1f2d
* Fix generation of sample policy files4.0.0Pierre Riteau2022-05-251-2/+3
| | | | | | | | | | | | | Generation of sample policy files was broken when exclude_deprecated was added as an extra argument to the generate_sample function in I6d02eb4d8f94323a806fab991ba2f1c3bbf71d04. It was passed as the fourth argument, which is actually include_help. Because it defaults to False, this turned sample policy files into actual policy files. Fix by using keyword arguments instead. Change-Id: I5478b1c8e7fd2f1b01f63602998194bab3683f7c Closes-Bug: #1975682
* Drop python3.6/3.7 support in testing runtimeHervé Beraud2022-05-051-3/+1
| | | | | | | | | | In Zed cycle testing runtime, we are targetting to drop the python 3.6/3.7 support, project started adding python 3.8 as minimum, example nova: - https://github.com/openstack/nova/blob/56b5aed08c6a3ed81b78dc216f0165ebfe3c3350/setup.cfg#L13 Change-Id: Icd143d8880666c1282e1e7821c108ab3e4de7813
* Only pass exclude-deprecated when True3.12.1whoami-rajat2022-04-283-10/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The '--exclude-deprecated' parameter should only be passed to oslo.config to parse when it is True. The final generated sphinx syntax is[1] where [--exclude-deprecated] doesn't require True/False value and only should be passed when True. The change introducing this[2] causes parsing issue in oslo.config[3] while checking <bool>.startswith (we pass True/False value) and even after that while calling argparse[4] with following error[5]. [1] usage: sphinx-build [-h] [--config-dir DIR] [--config-file PATH] [--exclude-deprecated] [--format FORMAT] [--namespace NAMESPACE] [--noexclude-deprecated] [--output-file OUTPUT_FILE] [2] https://review.opendev.org/c/openstack/oslo.policy/+/830514 [3] https://opendev.org/openstack/oslo.config/src/branch/master/oslo_config/cfg.py#L2937 [4] https://opendev.org/openstack/oslo.config/src/branch/master/oslo_config/cfg.py#L2960 [5] > /usr/lib/python3.8/argparse.py(1781)parse_args() -> if argv: (Pdb) > /usr/lib/python3.8/argparse.py(1782)parse_args() -> msg = _('unrecognized arguments: %s') (Pdb) > /usr/lib/python3.8/argparse.py(1783)parse_args() -> self.error(msg % ' '.join(argv)) (Pdb) TypeError: sequence item 0: expected str instance, bool found > /usr/lib/python3.8/argparse.py(1783)parse_args() -> self.error(msg % ' '.join(argv)) Handler <function generate_sample at 0x7fc0d6697d30> for event 'builder-inited' threw an exception (exception: sequence item 0: expected str instance, bool found) Closes-Bug: #1970725 Change-Id: I95745b8d1cbdb6a7cf442d431a998b7e3ff600e4
* Merge "make deprecated rule examples explicit"3.12.0Zuul2022-04-257-25/+102
|\
| * make deprecated rule examples explicitJulia Kreger2022-02-227-25/+102
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Deprecated rules can be confusing and downright unfriendly when evaluating a generated sample output and seeing legacy rules being aliased to new rules. Technically this is also invalid and results in a broken sample file with overriding behavior. Under normal circumstances, this wouldn't be a big deal, but with the Secure RBAC effort, projects also performed some further delineation of RBAC policies instead of performing a 1:1 mapping. As a result of the policy enforcement model, a prior deprecated rule was required, which meant the prior deprecated rule would be reported multiple times in the output. Since we don't have an extra flag in the policy-in-code definitions of policies, all we can *really* do is both clarify the purpose and meaning of the entry, not enable the alias by default in sample output (as it is a sample! not an override of code!), and provide projects as well as operators with a knob to exclude deprecated policy inclusion into examples and sample output. Closes-Bug: #1945336 Change-Id: I6d02eb4d8f94323a806fab991ba2f1c3bbf71d04
* | Don't raise InvalidScope exception when do_raise=FalseSlawek Kaplonski2022-03-172-13/+51
| | | | | | | | | | | | | | | | | | | | | | | | | | | | In the Enforcer.enforce() method there is boolean parameter do_raise. When it is set to False, enforce() method should return True/False as an enforcement result and not raise exception. It works like that with PolicyNotAuthorized exception but since some time this method can also raise InvalidScope exception and in such case behaviour was different. This patch changes that behaviour so InvalidScope exception will also not be raised when do_raise=False. Closes-bug: #1965315 Change-Id: I37fd682ffa9d6f4c69698e1be42adac28bbfe72a
* | Add Python3 zed unit testsOpenStack Release Bot2022-03-041-1/+1
| | | | | | | | | | | | | | | | | | | | | | This is an automatically generated patch to ensure unit testing is in place for all the of the tested runtimes for zed. See also the PTI in governance [1]. [1]: https://governance.openstack.org/tc/reference/project-testing-interface.html Change-Id: I9819bed88617605d40649bb5bdcf27723d48ea3a
* | Update master for stable/yogaOpenStack Release Bot2022-03-042-0/+7
|/ | | | | | | | | | | | Add file to the reno documentation build to show release notes for stable/yoga. Use pbr instruction to increment the minor version number automatically so that master versions are higher than the versions on stable/yoga. Sem-Ver: feature Change-Id: I35de33c2f540ceb76b0b12da5373545c15306f6d
* Merge "Fix formatting of release list"3.11.0Zuul2022-02-111-14/+14
|\
| * Fix formatting of release listPierre Riteau2022-02-071-14/+14
| | | | | | | | Change-Id: I09de011b77b49801da2a70eebacfab1d10de32d3
* | Expand set_defaults() to set other config default valueGhanshyam Mann2022-02-082-1/+27
|/ | | | | | | | | | | | | | Currently set_defaults() is only able to set the default value of policy_file config option. In future, for example scope config option like enforce_scope also needs to be override the default value per service (service ready with scope enable can set it to True and for other services it will be False as default in oslo.policy). To allow override the other config option, let's expand the existing set_defaults() method to do so. Change-Id: I72120efb7c55aab82b765237904c9ae6e91f6b6f
* Update python testing classifierdengzhaosen2021-12-211-0/+1
| | | | | | | | | | | | | | Yoga testing runtime[1] has been updated to add py39 testing as voting. Unit tests update are handled by the job template change in openstack-zuul-job - https://review.opendev.org/c/openstack/openstack-zuul-jobs/+/820286 this commit updates the classifier in setup.cfg file. [1] https://governance.openstack.org/tc/reference/runtimes/yoga.html Change-Id: I977e8e5d1a4e4b4aeebf484cfb2fca28dec7b724
* Enforce scope check always when rule has scope_types set3.10.1Slawek Kaplonski2021-11-233-0/+24
| | | | | | | | | | | | | | | | Previously it was checked only for registered rules but not for rules which are subclasses of the BaseCheck class. Now it's checked for all rules which have scope_types set. It's required for e.g. Neutron as it is creating Check objects based on the defined policy rules to e.g. include in the check attributes like network's provider parameters, etc. Depends-On: https://review.opendev.org/c/openstack/neutron/+/815838 Depends-On: https://review.opendev.org/c/openstack/neutron/+/818725 Closes-Bug: #1923503 Change-Id: I55258c1f999c84220518d1fbbf5e1e514361cebe
* Increase timeout of the cross-neutron-tox-py38 jobSlawek Kaplonski2021-11-231-0/+1
| | | | | | | | | It seems that since some time that job is timing out. To fix that, this patch sets timeout for the cross-neutron-tox-py38 job to 3600 seconds which is the same value as configured for unit tests jobs in Neutron. Change-Id: If360a366b7299e36c80adaefe5baf559a5c16bdd
* Merge "Refactor scope enforcement in the Enforcer class"3.10.0Zuul2021-10-251-32/+34
|\
| * Refactor scope enforcement in the Enforcer classSlawek Kaplonski2021-10-051-32/+34
| | | | | | | | | | | | | | | | | | This patch moves code responsible for scope types enforcement to the separate method which can be reused in different places, like e.g. to enforce scope for instances of the BaseCheck class. Related-Bug: #1923503 Change-Id: I6fd671728582b2f60939764075a8e2a977e78b58
* | Merge "Add scope_types attribute to the BaseCheck class"Zuul2021-10-251-0/+2
|\ \ | |/
| * Add scope_types attribute to the BaseCheck classSlawek Kaplonski2021-10-051-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Neutron, based on the defined policy rules is creating check objects "in flight" to e.g. include check some object's attributes, like e.g. network's provider parameters. That use case requires that BaseCheck class and classes which inherits from it needs to have scope_types defined thus Neutron can set it for the Check based on the defined policy rule. This patch adds scope_types attribute to the BaseCheck class to make it available for use cases like described above. Related-Bug: #1923503 Change-Id: Ibf30d0ffa5e9b125742089705d3557c02a03bc43
* | Merge "Don't reset rules without overwriting"Zuul2021-10-251-2/+2
|\ \
| * | Don't reset rules without overwritingmitya-eremeev-22021-10-211-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If an user uses Enforcer without overwriting (Enforcer(overwrite=False)) we should not reset rules and only update loaded rules. Enforcer without overwriting is a weird behavior, but it is supported at this moment. Maybe it will be eliminated in future because it's misleading. Operator cannot conclude what rules are loaded by simply looking in config files. Change-Id: I2871407f8c7417a016415ccc166c1f37a9e17908 Closes-Bug: 1943584
* | | Merge "Rules in policy directory files can be deleted."Zuul2021-10-213-62/+77
|\ \ \ | |/ / | | / | |/ |/|
| * Rules in policy directory files can be deleted.Mitya_Eremeev2021-10-143-62/+77
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Policy directory files can only add new rules or update existing rules in cache, but cannot return back loaded rules in memory to their default value. This incorrect behavior was fixed in the patch. Member "_loaded_files" of class Enforcer should keep list of loaded policy config files paths. In fact if the same file is changed many times then the same file path is added many times. If a file is deleted it's path not deleted from "_loaded_files". The member is very misleading and is not used in code. So this member was deleted in the patch because of above mentioned resons. Change-Id: I9ede38d8cf2ae968d3d8c0b1240bd6a51e6aa931 Closes-Bug: 1943584
* | Merge "Add Python3 yoga unit tests"3.9.0Zuul2021-09-301-1/+1
|\ \
| * | Add Python3 yoga unit testsOpenStack Release Bot2021-09-101-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is an automatically generated patch to ensure unit testing is in place for all the of the tested runtimes for yoga. See also the PTI in governance [1]. [1]: https://governance.openstack.org/tc/reference/project-testing-interface.html Change-Id: I8b701dc843a96178cf3028d10c36af977b38739b
* | | Merge "Update master for stable/xena"Zuul2021-09-302-0/+7
|\ \ \ | |/ /
| * | Update master for stable/xenaOpenStack Release Bot2021-09-102-0/+7
| |/ | | | | | | | | | | | | | | | | | | | | | | Add file to the reno documentation build to show release notes for stable/xena. Use pbr instruction to increment the minor version number automatically so that master versions are higher than the versions on stable/xena. Sem-Ver: feature Change-Id: I90013a56029ff70d0112b56efd32c1d0a5a6f0e0
* | Merge "Map system_scope in creds dictionary"Zuul2021-09-293-28/+30
|\ \
| * | Map system_scope in creds dictionaryMichael Johnson2021-08-123-28/+30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | An earlier patch[1] added a mapping for context 'system_scope' to 'system' when enforce was called with a RequestContext object. However, enforce can also be called with a creds dictionary that may contain the context 'system_scope' element. When this occured, 'system_scope' was not mapped to 'system' and the enforce would fail with an InvalidScope exception. This patch moves the 'system_scope' mapping from only occuring with RequestContext objects to also map it when a creds dictonary is passed to enforce. [1] https://review.opendev.org/c/openstack/oslo.policy/+/578995 Change-Id: I83a22c3f825bad0c88018118f8630a20a445965e
* | | Clarify enforce_new_defaults help textLance Bragstad2021-09-091-1/+5
| |/ |/| | | | | | | | | | | | | The help text isn't clear what happens when enforce_new_defaults is False, which is the default behavior. Explicity call that out in the help text since it's important for users to understand that behavior. Change-Id: Iaed5682bc72f4c66adb9a40c6510b399314574df
* | Fix a typo in the document3.8.2zhaoleilc2021-07-211-1/+1
| | | | | | | | | | | | | | This patch changes 'oslopolicy-policy-generator' to 'oslopolicy-checker' in oslopolicy-checker.rst. Change-Id: I73621ced00404d164fdb23f077ee36fbb6faf717
* | Changed minversion in tox to 3.18.0yangyawei2021-06-071-3/+3
|/ | | | | | | | The patch bumps min version of tox to 3.18.0 in order to replace tox's whitelist_externals by allowlist_externals option: https://github.com/tox-dev/tox/blob/master/docs/changelog.rst#v3180-2020-07-23 Change-Id: I28abab34878d3c62a88be8894107f994d02c1c4f
* Merge "Replace getargspec with getfullargspec"3.8.1Zuul2021-05-261-6/+1
|\
| * Replace getargspec with getfullargspeclikui2021-05-121-6/+1
| | | | | | | | | | | | | | | | inspect.getargspec() is deprecated since py3 [1] https://docs.python.org/3/library/inspect.html#inspect.getargspec Change-Id: If7492d7f755c80687f867428d80e4efb1e1a5d57
* | setup.cfg: Replace dashes with underscoresyangyawei2021-05-141-4/+4
|/ | | | | | | | | | | | | | | | Setuptools v54.1.0 introduces a warning that the use of dash-separated options in 'setup.cfg' will not be supported in a future version [1]. Get ahead of the issue by replacing the dashes with underscores. Without this, we see 'UserWarning' messages like the following on new enough versions of setuptools: UserWarning: Usage of dash-separated 'description-file' will not be supported in future versions. Please use the underscore name 'description_file' instead [1] https://github.com/pypa/setuptools/commit/a2e9ae4cb Change-Id: I58b9521882d81ab508bb7ce28308d88771daf1fe
* Ussuri+ is python3 only and update python to python3dengzhaosen2021-05-061-1/+1
| | | | Change-Id: I8162d5c413de6a73614443fdcd30ee472cb81035
* Merge "Dropping lower constraints testing"3.8.0Zuul2021-04-193-57/+0
|\
| * Dropping lower constraints testingHervé Beraud2021-04-163-57/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | We facing errors related to the new pip resolver, this topic was discussed on the ML and QA team proposed to to test lower-constraints [1]. I propose to drop this test because the complexity and recurring pain needed to maintain that now exceeds the benefits provided by this mechanismes. [1] http://lists.openstack.org/pipermail/openstack-discuss/2020-December/019390.html Change-Id: Ifcaf6993517d02bf54cd144efd247832947a009f
* | Merge "Add debug log in pick_default_policy_file"Zuul2021-04-161-2/+12
|\ \ | |/ |/|
| * Add debug log in pick_default_policy_fileGhanshyam Mann2021-01-291-2/+12
| | | | | | | | | | | | | | | | | | We have many if else condition to pick the right policy filebut there is no debugging log to have useful info to know if expected policy file is not picked. Change-Id: I507c58a6dca06d0cc6f306bcd063c700c18cc5f7
* | Merge "Use py3 as the default runtime for tox"Zuul2021-04-161-1/+1
|\ \
| * | Use py3 as the default runtime for toxHervé Beraud2020-11-041-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Moving on py3 as the default runtime for tox to avoid to update this at each new cycle. Wallaby support officially the following runtimes [1]: - Python 3.6 - Python 3.8 During Victoria Python 3.7 was used as the default runtime [2] however this version isn't longer officially supported. [1] https://governance.openstack.org/tc/reference/runtimes/wallaby.html#python-runtimes-for-wallaby [2] https://governance.openstack.org/tc/reference/runtimes/victoria.html#python-runtimes-for-victoria Change-Id: I4a244fc6f2d0d614d579fb944255be728fee1d61
* | | Merge "Add Python3 xena unit tests"Zuul2021-04-161-1/+1
|\ \ \
View Lorry Controller Status